Risk Management Model in ITIL

Sarah Vilarinho (IST, Portugal) and Miguel Mira da Silva (IST/INOV, Portugal)
DOI: 10.4018/978-1-4666-3664-4.ch013
ITIL is considered a framework of best-practice guidance for IT Service Management, and it is widely used in the business world. In spite of this, ITIL has some gaps in its risk management specification. This chapter approaches this problem in ITIL and compares IT risk management in ITIL to that of other IT Governance frameworks. Although ITIL states that risk should be identified, measured, and mitigated, it is not clear on how to proceed (no concrete process is defined for dealing with risk). To solve this, the authors propose to map the M_o_R risk management framework onto ITIL, mapping every M_o_R process to ITIL, thereby adopting strong risk management in ITIL, based on concrete guidelines, without changing the framework. In this chapter, the authors summarize the necessary guidelines and outline a plan for future work.
1. Problem

All organizations want standards that signal to their clients the quality of the organization's processes. In the case of risk management and IT Governance, these are ISO 31000 and ISO 20000, respectively. To implement ISO 20000, ITIL is usually the option chosen. However, risk management is not clearly addressed, because there is no obvious way to implement risk management in ITIL.

Although risk management is referenced in some of the ITIL books (Office of Government Commerce, 2007), mainly in Service Operation (Office of Government Commerce, 2007) and Continual Service Improvement (Office of Government Commerce, 2007), the approach is not explained in enough detail for organizations to implement risk management without following specialized guidelines for it.

This raises the question: how can strong risk management be adopted in ITIL, in an integrated, effective and efficient way, without changing the framework, so that organizations do not have to use another mechanism for risk management?

History tells us that many fatal IT risks in organizations are associated with business strategies. For this reason, it is not really possible to separate best-practice risk management from best-practice IT governance (Crouhy, Galai, & Mark, 2005). Some IT governance frameworks have a very strong risk management component, such as COBIT and OCTAVE (Kouns, Minoli, & Daniel, 2010), and, even though ITIL does not have a very clear risk management approach, some ITIL processes obviously incorporate it.